Checkmarx researchers recently identified critical cross-site scripting (XSS) vulnerabilities on the website of the polling company Gallup that they say could have been used by malicious actors to gain access to the company's platform.
The research notes that XSS is a vulnerability that could allow attackers to gain “complete control over an application's functionality and data,” especially if the impersonated user has been granted special access.
By allowing arbitrary script execution in a victim's browser, the vulnerability could even have granted threat actors the ability to add unauthorized items to users' shopping carts (the site also sells customizable surveys and books).
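To make the mechanism concrete, here is an added example (not code from the Checkmarx report or from Gallup's site) showing the pattern behind a reflected XSS flaw and the two standard defences: output encoding at the point where untrusted data is placed into HTML, and a Content-Security-Policy as defence in depth. The function names, the page template and the sample input are all hypothetical and constructed for the illustration.

```javascript
// Added example, not the original page's or Gallup's code.
// A constructed untrusted value, as it might arrive in a query string (?q=...).
// The payload is the textbook probe used in XSS education; it does nothing
// but pop a dialog if it ever executes.
const UNTRUSTED_INPUT = '<script>alert(1)</script>';

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute. Production code would use a vetted library
// (or a templating engine that auto-escapes), but the rules are these five.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE (hypothetical handler): the user-controlled value is
// concatenated straight into the HTML response, so a <script> tag in the
// input becomes a <script> tag in the page and runs as the site's origin.
function renderSearchPageUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HARDENED: the same template, but the value is entity-encoded first.
// The browser now renders the characters literally instead of parsing them.
function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defence in depth: response headers to send alongside the page. A CSP with
// no 'unsafe-inline' in script-src means an injected inline <script> would
// be refused by the browser even if an encoding step were missed somewhere.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// A cheap regression check a test suite can run over rendered output:
// does an unencoded <script ...> tag survive in the HTML?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Convenience wrapper that renders both variants for the same input so the
// difference can be inspected side by side.
function demo(input = UNTRUSTED_INPUT) {
  return {
    unsafe: renderSearchPageUnsafe(input),
    safe: renderSearchPageSafe(input),
    headers: securityHeaders(),
  };
}
```

Running `demo()` shows the unsafe rendering still carrying a live `<script>` element while the safe rendering contains only `&lt;script&gt;...`; the `containsRawScriptTag` check is the kind of assertion worth keeping in a CI suite for every template that interpolates request data.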
Risk of misinformation
The vulnerabilities were discovered in June 2024 and have since been patched. However, in an age where reliable and secure information is so vital, especially when it comes to political opinion, the consequences of the flaw could have been dire. A malicious actor could have posted fake survey results or other false information on the site, the Checkmarx team confirmed.
“In an era where misinformation and identity theft pose significant threats, the security of polling platforms is crucial, particularly during crucial global election cycles,” the report notes. “It is important to note that this endpoint is routinely used to access Gallup polls, which may make users more susceptible to exploitation.”
The 2024 election cycle has seen particularly high rates of misinformation and attempts at election interference, so it is important for companies with influence or prominence to ensure security on their sites to keep information safe.
Website defacement is a relatively common practice used by hackers to spread a message or embarrass site owners, but in this case the injected content could easily have been disguised as legitimate polling data, with the intent of influencing voters. In a notoriously close election race, the votes from key states in particular have an outsized impact, so any potential vulnerability on such a site should be closely monitored.